Date: Fri, 31 Jan 2020 12:20:13 +0000
From: Al Viro
To: "Rantala, Tommi T. (Nokia - FI/Espoo)"
Cc: "gregkh@linuxfoundation.org", "linux-kernel@vger.kernel.org", "stable@vger.kernel.org"
Subject: Re: [PATCH 4.19 43/92] do_last(): fetch directory ->i_mode and ->i_uid before its too late
Message-ID: <20200131122013.GF23230@ZenIV.linux.org.uk>
References: <20200128135809.344954797@linuxfoundation.org> <20200128135814.584735840@linuxfoundation.org> <5cbe397b7f7bb0f8bd579080c8a4c41d7b359632.camel@nokia.com>
In-Reply-To: <5cbe397b7f7bb0f8bd579080c8a4c41d7b359632.camel@nokia.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jan 31, 2020 at 10:08:37AM +0000, Rantala, Tommi T. (Nokia - FI/Espoo) wrote:
> On Tue, 2020-01-28 at 15:08 +0100, Greg Kroah-Hartman wrote:
> > From: Al Viro
> >
> > commit d0cb50185ae942b03c4327be322055d622dc79f6 upstream.
> >
> > may_create_in_sticky() call is done when we already have dropped the
> > reference to dir.
> >
> > Fixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and
> > regular files)
> > Signed-off-by: Al Viro
> > Signed-off-by: Greg Kroah-Hartman
> >
> > ---
> > fs/namei.c | 17 ++++++++++-------
> > 1 file changed, 10 insertions(+), 7 deletions(-)
> >
> > --- a/fs/namei.c
> > +++ b/fs/namei.c
> > [...]
> > @@ -3258,6 +3259,8 @@ static int do_last(struct nameidata *nd,
> > struct file *file, const struct open_flags *op)
> > {
> > struct dentry *dir = nd->path.dentry;
> > + kuid_t dir_uid = dir->d_inode->i_uid;
>
> I hit the following oops in 4.19.100 while running kselftests.
>
> fs/namei.c:3262 matches the line above.
>
> Any ideas?

Yes. Make those two lines

	kuid_t dir_uid = nd->inode->i_uid;
	umode_t dir_mode = nd->inode->i_mode;

I'm pretty sure that I know which way I'd fucked up there; we can get here in RCU mode with stale nd->path.dentry (that would make the thing fail with -ECHILD, with retry in non-RCU mode). In the non-stale case nd->inode is the same as nd->path.dentry->d_inode and it's always pointing to a struct inode that hadn't been freed yet.
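Review bot: the added line in the @@ -3258 hunk fetches i_uid through dir->d_inode, where dir is nd->path.dentry; do_last() can be entered in RCU-walk mode with a stale nd->path.dentry, so dereferencing its d_inode there is unsafe, which is consistent with the oops at fs/namei.c:3262 reported above. Read the values through nd->inode instead, which in the non-stale case is the same inode as nd->path.dentry->d_inode and is guaranteed not to have been freed, and do the same for the i_mode fetch that the subject line describes: `kuid_t dir_uid = nd->inode->i_uid;` and `umode_t dir_mode = nd->inode->i_mode;`. With that, the stale-dentry case fails with -ECHILD and the lookup is retried in non-RCU mode rather than dereferencing a dead dentry.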